Upcoming changes for GDPR compliance in XF1 and XF2

The General Data Protection Regulation (GDPR) is soon upon us. But, what is it? Does it apply to your site? How can XenForo help you with compliance in the key areas of the regulation? This "Have you seen" thread will aim to clear up some of these questions, and give you a preview of what is coming up in XenForo 1.5.20 and XenForo 2.0.6.

What is the GDPR?
The GDPR is a European Union (EU) regulation that has been designed to protect the data and privacy of EU residents. It strengthens and replaces existing data protection acts/directives and becomes enforceable from 25th May 2018. The primary aim is to give control to EU residents over their personal data and unify regulation within the EU.

But I'm not an EU resident...
That may be true, but with over half a billion residents in 28 member states, it's a fairly reasonable expectation that at some point you will have an EU resident register on your forum and they will indeed be protected by this regulation and breaches of the regulation can bring penalties and fines against you, whether you're an EU resident, or not. Even so, data protection and privacy will be important to every one of your members, regardless of their country of origin.

How can we help?
Depending on your interpretation of the guidelines and how you specifically use your member's data, there isn't much more to add to help you comply with these regulations. That said, this would be a pretty boring post without some new things to show you so we will explain some of the new features below and how they help you, as a data controller, to comply with the regulations.


Individual rights

Right to erasure

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Unfortunately, erasure does not relate to a 1980s pop duo but instead it relates to the inevitability that at some point, one of your members may want to leave your forum and in doing so, may want to have their personal data removed. This is also known as the "right to be forgotten".

Of course XenForo has always allowed you to delete members via the Admin CP, and this approach is still recommended, but this has traditionally left their content attributed to them. You have always been able to workaround this by changing the user's name prior to deleting the user. Although we're not at this stage looking to totally remove the user's content, we are making it easier to anonymise a deleted user's content.

When deleting a user, you will now be given the option to just delete them (as now) or change their name before deleting them. You can choose the pre-defined text (which is the content of the deleted_member phrase in your language, followed by their user_id) or change it manually to whatever name you prefer.


Right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

Technically, under certain laws in certain countries, the right for a user to request a copy of any personal information held by a data controller has always been necessary. The main difference now is that the information should be provided to the data subject in a machine readable format.

Starting with the next release, it will be possible for admins to generate an XML file containing a user's personal information, including those entered in custom user fields. The XML file produced can be imported into any other XF1 or XF2 forum running an appropriate version.


Right to be informed

• You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
• You must provide privacy information to individuals at the time you collect their personal data from them.
• You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

XenForo already has functionality to enable you to edit your terms and rules, provides you with tools for you to create a privacy policy (help pages, page nodes) and present that information when they are registering. In the next releases we are somewhat expanding these features.

The first step is to start providing a default privacy policy, via a help page, similar to how we also provide a default terms and rules page. If you already have a privacy policy URL, we will continue to link to this. If you do not, then we will start displaying the new default policy link in the appropriate places. After upgrading, if you do not want or need a privacy policy then you can disable it in options.


Lawful basis for processing

Consent

• Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Keep evidence of consent – who, when, how, and what you told people.

On a similar subject to the previous "Right to be informed" section, consent must apply to things such as the privacy policy and terms and rules. In XF2 we already seek this consent if you have a privacy policy or terms and rules URL configured. In XF1, however, we only did this if a terms and rules URL was configured. In XF2, there was no checkbox to consent to these, but in XF1 there was.

There are obvious inconsistencies there, so in the next releases we have taken a more consistent approach during registration:

We already make it possible for a user to opt-in to or opt-out of receiving site emails using the "Receive site mailings" option under "Preferences", which can of course be set or un-set by default for new users under Options > User registration. That preference remains, though we have changed its name slightly. We've also added a new admin option (again, under "User registration") to enable you to show that preference on registration:

To enable you to keep evidence of consent, we will log the consent date for acceptance of the terms and rules and privacy policy in the "User change log". We will also log if a user chooses explicitly opt in to receiving emails.

In the current version, user change logs are only kept for a period of 60 days (by default) so we have made changes here to ensure that certain change logs are "protected". These protected entries are never pruned and they are displayed differently in the log (denoted by the left feature border):

In these releases, we are also making it possible to ask users to re-accept terms and rules or privacy policies. Because we provide the ability to use any URL as your terms or privacy policy, and because the default policies are editable by changing phrases or templates, the most explicit approach to triggering re-acceptance is having a specific page for each under Communication > Help in the Admin CP:

Once you click "Save" any users will be prompted to re-accept the respective policy. They will not be able to continue using the site until they do. If you use the default page then the policy will be displayed on the page:

Cookies

The rules on cookies are in regulation 6. The basic rule is that you must:

• tell people the cookies are there;
• explain what the cookies are doing and why; and
• get the person’s consent to store a cookie on their device.

We have, for many years, shown a notice to users on their first visit explaining that cookies will be set. This notice was only shown on the very first page load before it disappeared. This should be fine, in most cases, though we've decided to make some improvements for the next release to make the usage of cookies more clear, and to require the notice to be dismissed:

Interestingly, this notice doesn't appear as a block notice at the top of the page, and it doesn't appear in the bottom right corner as a floating notice. Instead, we've created an entirely new position called "Fixed". This notice position is actually fixed at the very bottom of the page and full width (similar to the inline mod bar). You can even use this position for any notice you create.

The default help page for cookies has been expanded with more detailed information about what cookies are set, and why.


And that brings us to the end of this GDPR-centric Have you seen thread!

Due to the fairly large number of changes in these releases, we will first be releasing beta versions on Tuesday 8th May which will be available to all customers with an active license, while aiming for a final and stable release on Tuesday 22nd May.

As ever, with Have you seen threads, please post any suggestions in the suggestion forum (one thread per suggestion).

 

[BassMan]

Ok, I'll think about it.

Thank you.

 

[Slavik]

I can't remember the exact wording of the law off of the top of my head. But, I believe it mentions both a human and machine-readable format.

Please stop posting incorrect information without checking it first. This topic already has enough people needlessly losing their minds.

The requirements for data portability are:

• structured;
• commonly used; and
• machine-readable.

The XML meets these requirements easily.

Really need to find better position cookie notice:


Before that, I'm not sure about upgrading...

The location is where most sites are placing it, I dont think changing it would be realistic. *edit, ninjaed by chris*

 

[BassMan]

Just one more:

If this is unchecked will users still get an email if this below is set like this:

Sorry, I could test it myself, but...


Is default setting for sending email on new posts in watched threads ok with GDPR?

 

[imno007]

The US is going to be watching to see what happens, and since the govt already wants to regulate social media, then there is a pretty good chance that the US will come out with their own GDPR version in the future, so if your legs are not cut off by the EU, now, then the US will cut you up later.

I don't know about that. Remember that just last year the Senate approved ISP's being able to sell customers' information without their consent.

 

[Davyc]

Is default setting for sending email on new posts in watched threads ok with GDPR?

To be safe I've just disabled all of these and if they want to opt in they can from their account settings. Same with all the other settings in that group either changed to no or members only.

 

[BassMan]

Hm, yes, but I believe this could lead to a less user engagement. But I guess I'll be doing the same thing.

 

[Assadi]

Please stop posting incorrect information without checking it first. This topic already has enough people needlessly losing their minds.

The requirements for data portability are:

• structured;
• commonly used; and
• machine-readable.

The XML meets these requirements easily.

Please read the post correctly next time before using a weird passive aggressive tone; I have yet to post misleading information.

I agree with you and you would have seen that, in addition to saying that XML is a most definitely a machine readable format, I gave an argument for it being human readable based on it having been an industry standard for configuration as well as data definitions and the like.

My post was in defense of XML from both sides of the equation.

The only stipulation there was that it is my opinion that json is even more ubiquitous, readable, and parsable.

 

[Kirby]

@BassMan
Those E-Mails are transactional, eg. they happen because of an action performend by the user so IMHO this should not be an issue yet

 

[Sim]

The only stipulation there was that it is my opinion that json is even more ubiquitous, readable, and parsable.

FWIW, I actually agree on this one.

One of the biggest limitations of XML (which was supposed to "save the world") was that as great as it was for being machine readable, it was very much NOT human readable. A technical person would do okay with a small XML file, but anyone non-technical would be very confused by the structure of it. Nobody can read a more complex XML file.

JSON is much more human-friendly which is why I think it has become the defacto standard for structured data - it's simply so much easier to work with (even for technical people).

I would strongly advocate for having the ability to output a JSON file.

Heck, even a .ini file format would achieve everything we need and be far more intuitive for anyone requesting it than an XML file (would still suggest JSON as a better alternative though)

 

[Sim]

@BassMan
Those E-Mails are transactional, eg. they happen because of an action performend by the user so IMHO this should not be an issue yet

Agree - those are transactional emails and as such are perfectly fine.

 

[Kirby]

JSON is much more human-friendly which is why I think it has become the defacto standard for structured data - it's simply so much easier to work with (even for technical people).

Kinda OT and might be just me, but actually I find XML easier to work with than JSON (if human procesing is necessary, for machine processing I'd definitly prefer JSON).

 

[BassMan]

@BassMan
Those E-Mails are transactional, eg. they happen because of an action performend by the user so IMHO this should not be an issue yet

Thank you. So your opinion is that this should be ok?

I unticked news and update emails. I also set it as unticked on a registration form.

 

[Sim]

I unticked news and update emails.

I would argue that news and update emails are critical to the operation of the site - people need to be alerted to changes in functionality or issues which may affect them.

So long as you aren't sending emails for marketing purposes (you'd be better off with a 3rd party newsletter service for that anyway IMO), it can easily be argued that such emails are important - especially if they announce things such as updates to privacy policies

That being said, you could alternatively just over-ride the "Receive news and update emails" when sending critical alerts out via email:

Either way I think it depends on how you intend to contact your users and the nature of the emails you will send using this system as to whether you need to default to having that turned off.

 

[Kirby]

@BassMan

But as said before, tis is just my personal opionion.

 

[AndrewSimm]

The export user does not include connect accounts. I would think it should?

 

[threadloom]

@Chris D: Thanks for this helpful release. We upgraded our forum tonight to 1.5.20 beta. I've deselected the registration default for "receive news and update emails" but when I test the user registration flow in incognito mode, it still default checks that option. Am I doing something wrong?

 

[Davyc]

I believe that how you adjust your settings for pre-registration assumptions will always be a contention of opinion, but it is always better to err on the side of caution and tell your members that they can change these settings in their user account. This is how I have set my own pre-registration check boxes:

One of the reasons I have done this for is because checking these boxes to receive emails can be viewed as 'implied' consent rather than being given the option to opt-in. The other reason is that for newbies they may be wondering why they are receiving so many emails and may find this intrusive; more so if they are (rightly or wrongly) using a work email address.

It would be better to tell your users what options they have and direct them to the preferences section of their account and let them make their own minds up of how they want to receive various communications - they may prefer alerts rather than emails.

Just my two-penneth and erring of the right side of the GDPR rather than assuming I'm right in what I'm doing - user choice is the better option IMHO.

 

[BassMan]

It would be better to tell your users what options they have and direct them to the preferences section of their account and let them make their own minds up of how they want to receive various communications - they may prefer alerts rather than emails.

 

[Chris D]

@Chris D: Thanks for this helpful release. We upgraded our forum tonight to 1.5.20 beta. I've deselected the registration default for "receive news and update emails" but when I test the user registration flow in incognito mode, it still default checks that option. Am I doing something wrong?

Please try to post support questions in a separate thread or bug report so we don't miss them

As it happens, you're right, there's a bug in the template because I forgot how XF1 works

(sorted for the next release)

 

[threadloom]

Please try to post support questions in a separate thread or bug report so we don't miss them

As it happens, you're right, there's a bug in the template because I forgot how XF1 works

(sorted for the next release)

Sorry about the incoming vector, and thanks for taking a look and confirming. I'll turn off the force agreement for now.